The Cybersecurity 202: Huawei accuses U.S. government of hacking it and threatening its employees

The simmering conflict between security officials and Huawei boiled over Tuesday when the Chinese telecom accused the U.S. government of trying to hack its networks and committing a slew of other abuses.

In addition to “launching cyberattacks to infiltrate Huawei's intranet and internal information systems,” Huawei accused the U.S. government of menacing its employees “to turn against the company,” urging other companies to bring unsubstantiated claims of wrongdoing against it and denying visas to Huawei employees.

The charges came in a bulleted list at the end of a news release that focused mainly on denying claims that Huawei has stolen other companies’ intellectual property.

Huawei has consistently rejected U.S. charges it assists Chinese government spying, but the long list of counter-accusations against the U.S. government — all offered without supporting evidence — marked a serious escalation of the company’s rhetoric.

The bottom line, the company said, is the United States is waging an unfounded battle “to discredit Huawei and curb its leadership position in the [telecom] industry.”

(2/4) We strongly condemn the malign, concerted effort by the U.S. government to discredit Huawei and curb its leadership position in the industry. No company becomes a global leader in their field through theft. Find out more: https://t.co/xVDt2lzwXxpic.twitter.com/WJjtRH7UuW

The counter-assault could help Huawei as it battles a U.S. effort to convince other nations to block the company from building its next-generation 5G wireless networks over espionage concerns, Graham Webster, a fellow at the New America think tank focused on China’s digital economy, told me.

“Huawei’s audience is never just the Americans,” Webster told me. “They’re concerned about Europe and other markets around the world and they may believe they can convince governments that are on the fence that the U.S. is acting in bad faith.”

Indeed, the charges came as Vice President Pence is in the midst of bad-mouthing Huawei to European allies. Pence signed a joint agreement with Polish Prime Minister Mateusz Morawiecki over the weekend pledging to cooperate on protecting the security of 5G networks against threats such as Huawei. He also urged Irish Prime Minister Leo Varadkar on Tuesday to eschew Huawei technology.

Other nations, including Britain and Germany, however, have been more hesitant to follow the U.S. lead on restricting the Chinese telecom. Just a handful of nations including Australia and Japan have adopted the U.S. stance.

Huawei’s charges also play into doubts about the Trump administration’s motives as it moves to restrict and penalize the company, including by barring U.S. firms from supplying Huawei with software and other components.

Those doubts have largely been spurred by President Trump, who has repeatedly suggested he may pull back some Huawei penalties as part of a broader trade deal with Beijing, suggesting the penalties are more about gaining leverage in trade negotiations than about national security.

“At this point the U.S. is just not as credible when it says it’s doing its duty and acting in an unbiased way because of the way the president has been acting,” Webster said.

Trump’s comments are especially damaging in this case, Webster told me, because many of Huawei's accusations — if true — could be chalked up to legitimate national security and intelligence operations.

Law enforcement officials, for example, routinely try to get compromising information from the employees of companies they suspect of wrongdoing — including stealing U.S. companies' intellectual property or assisting foreign government spying. And the NSA routinely tries to hack into foreign telecom networks to spy on U.S. adversaries.

But Webster said because the U.S. accusations against Huawei have been linked to the U.S.-China trade dispute, it’s a lot easier for Huawei to argue the Trump administration is doing it for other reasons.

“Even if [government agencies] are acting in a totally unbiased way, they, unfortunately, have a credibility problem because of the president,” he said.

Huawei did not respond to a query asking for details about the alleged U.S. cyberattacks against its networks.

The FBI and Justice Department declined to respond directly to the Huawei accusations.

A Justice Department official noted, however, that more than 80 percent of the economic espionage cases the department charges and 60 percent of its trade secret theft cases lead back to China and Chinese companies.

“This isn’t a case of looking at China and/or Chinese companies [and] asking what cases we make,” said the official, who spoke on the condition of anonymity to speak freely. “This is being contacted by victims, gathering and following the evidence at crime scenes, and more than 80 percent of the time having it lead back to China.”

You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.

Not a regular subscriber?

PINGED, PATCHED, PWNED

A driverless car camera. (Mark Kauzlarich/Bloomberg News)

PINGED: The increased use of artificial intelligence systems by government agencies for critical functions is giving hackers a new playground for cyberattacks, according to a report out today from the Belfer Center for Science and International Affairs at the Harvard Kennedy School obtained by The Cybersecurity 202. Failing to put safeguards in place could seriously raise the risk of damaging cyberattacks against U.S. military operations and other critical government functions, author Marcus Comiter warns.

Because AI hacks are extremely hard to prevent or identify, Comiter is urging the government to take precautions, including encrypting data that goes into AI systems and weighing the risks of using AI before implementing it. Failing to do so could lead to trouble as the United States races against technologically advanced rivals such as China to increase its use of AI in critical functions like military operations, he warns.

He pointed to a case where Facebook users were easily able to outsmart an AI-driven Facebook filter designed to stop users from uploading footage of a March mass shooting in New Zealand as one example of how weaknesses in AI tools could be exploited. Bloomberg News recently reported that the Defense Department is trying to create similar AI filters to prevent disinformation campaigns in the 2020 election. High-cost next-generation warfare projects, such as AI used to train autonomous drones, could also prove attractive targets to hackers, according to the report.

“AI is going to be a new field of confrontation between the [United States and China]” Comiter predicts. “Because we're trying to adopt it so quickly, we don't have the types of security measures in place that we need.”

PATCHED: The progressive group Stand Up America, which has been lobbying lawmakers to impeach President Trump, is launching a campaign today to pressure Senate Majority Leader Mitch McConnell (R-Ky.) and other Republicans to pass funding for election security. They're hoping to spur tens of thousands of calls to Senate Republicans who have been blocking Democratic legislation to provide $600 million in funding to secure the 2020 elections.

The group has already placed a billboard outside McConnell’s district office in Louisville urging Kentuckians to call his office. Other efforts will include texting hundreds of thousands of constituents urging them to call their senators to demand support for election security funding. Even before launching a formal campaign, the group has racked up more than 45,000 calls to Republican senators to encourage them to pass election funding, Sean Eldridge, president of the group told me.

Eldridge says the group is ramping up pressure to head off the Senate's end-of-the-month deadline to pass a spending bill to keep the government open.

“Every single American wants to walk into the ballot box and know their vote counts, and we won't know that unless the Senate passes election funding,” Eldridge says.

Correction: The original version of this item misstated the amount of election security funding sought by Democrats.

The Android logo is displayed on a Huawei smartphone. (Marko Djurica/Reuters)

PWNED: The price of a tool to hack into an Android phone is now more expensive than an iPhone equivalent on the underground market, Andy Greenberg at Wired reports. Zerodium, a firm that buys code that exploits weaknesses in software, reported a $2.5 million purchase yesterday for a technique allowing hackers to crack into an Android phone with as little as one click from the phone’s user, Greenberg reported. The report focuses on “zero day” hacking tools, which means they’re newly discovered and have never been exploited before.

The blockbuster sale shows that, for the first time, researchers may be finding Google’s Android operating system harder to hack than Apple's iOS. “The zero-day market is so flooded by iOS exploits that we've recently started refusing some of them,” Zerodium's founder Chaouki Bekrar told Wired.

Not all Android exploits fetch millions of dollars, Greenberg points out. But the report adds to mounting evidence that hackers are finding iPhones — which were once considered nearly unhackable — easier targets. For instance, Google researchers recently uncovered a two-year attack using infected websites that allowed hackers to access the private messages and personal information of thousands of iPhone users.

For years, an enduring mystery has surrounded the Stuxnet virus attack that targeted Iran’s nuclear program: How did the U.S. and Israel get their malware onto computer systems at the highly secured uranium-enrichment plant?

Reps. John Ratcliffe (R-Texas) and Ro Khanna (D-Calif.) will introduce a bill this week intended to modernize a Department of Homeland Security (DHS) program that ensures the cybersecurity of federal agencies.

The CEO of an energy firm based in the UK thought he was following his boss’s urgent orders in March when he transferred funds to a third-party. But the request actually came from the AI-assisted voice of a fraudster.

If your answer to this is a dismissively smug “just use paper ballots”, sure, paper ballots are important. But recognize that you’re addressing only a tiny part of a very complex problem space, and even that has notoriously difficult tradeoffs associated with it.

The thread ignited a heated debate over what a reliance on paper ballots would mean for disabled voters. Director of Cyber Risk Research at UpGuard Chris Vickery:

Regarding disabled voters- We already have assistive devices developed and deployed. If disabled voters (who require them) are the only people using machines to vote there is a massive shift in the risk vs. reward calculation for anyone attempting to manipulate those devices. 🙂

Worse, this could potentially involve tradeoffs between incomparable equities. What if there’s a clearly more accurate and usable vote casting/marking tech that’s also demonstrably less secure against certain attacks? How do we decide whether it’s acceptable? I have no idea.